
New Mirai Variants Targeting Latest Vulnerabilities in IoT Devices

Published on 
May 28, 2024
During April 2024 we observed new Mirai malware variants for IoT devices attempting to exploit the following vulnerabilities:

  • CVE-2024-3721, a command injection vulnerability in TBK DVR devices, published on 13/04/2024. More than 114,000 devices exposed on the internet were found vulnerable.

  • CVE-2024-3273, a command injection vulnerability in D-Link NAS devices, published on 03/04/2024. More than 5,500 vulnerable devices were exposed on the internet.

Campaign Overview

This campaign was first observed on 10/04/2024, shortly after a public exploit for CVE-2024-3273 (the D-Link NAS bug) became available. On 15/04/2024 the same attacker also began exploiting CVE-2024-3721 (the TBK DVR bug).

We are confident that the same actor is behind both exploitation waves: the source IP addresses and the malware samples dropped were identical for both vulnerabilities.

Mirai Samples: Malware Analysis

The botnet tries to install the same malware on every device it reaches, shipping a build for each supported CPU architecture. We could not attribute the samples to a named Mirai variant: the Mirai source code was leaked in 2016 and has been forked many times since, so most samples share the same skeleton. We refer to these samples as MIRAI UNK001. The following architectures are targeted:

Table 1. Targeted Architectures by New Mirai Variants

Only one sample, the arm7 (ARMv7) build, was analysed. Static analysis of that sample supports the following conclusions:

  • The ELF binary contains anti-debugging measures designed to hinder analysis: junk variables and code locations with no role in the program logic are inserted to clutter the disassembly, and addresses are resolved dynamically at runtime rather than being present as static references, which hides call targets from a static disassembler.
Figure 1. Anti debugging functions embedded in the malware
  • A function named ensure_single_instance guarantees that only one copy of the malware runs on the device. It creates a socket, binds it to a fixed address and port combination and, if the bind succeeds, puts the socket into listening mode. Since only one process can bind a given address and port, a failed bind means another instance is already running; in that case the function cleans up, possibly killing the conflicting process, and retries.
Figure 2. Function to ensure that the malware gets executed in a single instance.
  • The malware resolves the Command and Control (C2) address dynamically and then performs a DNS lookup, also at runtime. Several domains are used for C2, and the resolver function appears designed to accept multiple address sources or fallback values.
Figure 3. Command and Control addresses resolved by DNS lookup.
  • After these steps the malware opens communication between the compromised IoT device (the bot) and the C2 server. All traffic between bot and C2 is obfuscated with a scheme built from four XOR operations; XOR with a fixed key is obfuscation rather than real encryption, and is reversible once the key is recovered from the sample. The malware first initialises a table of encoded strings and then runs the encoding function, as illustrated in Figure 4. The same pattern was observed in the Mirai variant V3G4 discovered by Palo Alto Networks (see their write-up, Mirai Variant V3G4).
Figure 4. XoR encrypted communication between client and Command and Control Server.
  • It also contains functions that reference packet-capture tools such as tcpdump and wireshark. These do not appear to be used to stop those tools but to manipulate and control them: the address of the tool's name string is loaded into a register, after which the program references or manipulates that string as needed.
Figure 5. Manipulation and control of packet analysis programs.
  • Next, all DDoS attack methods are initialised, as shown below:
Figure 6. Methods of Attack initialized for DDoS purposes.

The operator can start or stop these attacks from the C2.
  • Another notable feature is a function that performs an SSDP search on the local network to discover other devices that can be infected.
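The four-XOR scheme described above for the string table and C2 traffic (Figure 4) is the one the leaked Mirai source implements in table.c as toggle_obf(). The following C program is an added example written for this article, not code from the original post or from the malware: it reimplements that routine, shows that the four XORs collapse to a single-byte key (0x22 for the source's default key 0xdeadbeef), and performs the known-plaintext key recovery an analyst uses on a fork that changed the key. The sample string is constructed for the demo; this write-up does not state the key used by MIRAI UNK001, so the key values here are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Default table_key from the leaked Mirai source (table.c). Real forks change
 * it, which is why the recovery step below exists. Assumed, not from the post. */
#define DEFAULT_TABLE_KEY 0xdeadbeefu

/* Mirai's toggle_obf(): each byte is XORed with the four key bytes in turn.
 * XOR is associative, so this equals one XOR with k1^k2^k3^k4: a single-byte
 * key. Encoding and decoding are the same call. */
void toggle_obf(uint8_t *buf, size_t len, uint32_t table_key)
{
    uint8_t k1 = table_key & 0xff,
            k2 = (table_key >> 8) & 0xff,
            k3 = (table_key >> 16) & 0xff,
            k4 = (table_key >> 24) & 0xff;

    for (size_t i = 0; i < len; i++) {
        buf[i] ^= k1;
        buf[i] ^= k2;
        buf[i] ^= k3;
        buf[i] ^= k4;
    }
}

/* The one byte that the four XORs collapse to (0x22 for the default key). */
uint8_t effective_key(uint32_t table_key)
{
    return (uint8_t)((table_key & 0xff) ^ ((table_key >> 8) & 0xff) ^
                     ((table_key >> 16) & 0xff) ^ ((table_key >> 24) & 0xff));
}

/* Substring search over a raw buffer (decoded data may contain NUL bytes). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > hay_len) return 0;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Known-plaintext key recovery for a sample with an unknown table_key. Since
 * the scheme reduces to one byte, all 256 candidates are tried and the first
 * one whose output contains the crib (a string every Mirai fork carries, such
 * as "/bin/busybox") wins. The decoded text is written to `out`. Returns the
 * effective key, or -1 if nothing matches or `out` is too small. */
int recover_key(const uint8_t *enc, size_t len, const char *crib,
                char *out, size_t outsz)
{
    uint8_t tmp[256];
    if (len > sizeof tmp || len + 1 > outsz) return -1;
    for (int k = 0; k < 256; k++) {
        for (size_t i = 0; i < len; i++) tmp[i] = enc[i] ^ (uint8_t)k;
        if (contains(tmp, len, crib)) {
            memcpy(out, tmp, len);
            out[len] = '\0';
            return k;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: encode a typical table string, then recover it the
     * way an analyst would who has only the bytes and a crib. */
    uint8_t buf[] = "/bin/busybox";
    size_t len = sizeof buf - 1;
    char decoded[64];

    toggle_obf(buf, len, DEFAULT_TABLE_KEY);
    printf("effective key: 0x%02x\n", effective_key(DEFAULT_TABLE_KEY));
    int k = recover_key(buf, len, "busybox", decoded, sizeof decoded);
    printf("recovered key 0x%02x -> \"%s\"\n", k, decoded);
    return 0;
}
```

Because the scheme is a single-byte XOR, the "encryption" of the C2 channel offers no confidentiality once one sample has been unpacked: the same 256-candidate loop applied to a captured bot-to-C2 message, with a crib such as a known command keyword, recovers the traffic key as well.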

Other behaviour observed in this malware:

  • Attempting to change its working directory to the root directory.
  • Searching for, and reading, all directories it has write permission on.
  • Setting up a watchdog process to keep the malware resident. This step is intended to prevent the device from rebooting and to resist security scans.
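The ensure_single_instance behaviour described earlier (a bind on a fixed loopback address and port as a process-wide mutex) is easy to reproduce and useful to understand for detection. The C program below is an added example for this article, not code from the original post or from the sample: it claims the control port, and when a second copy loses the bind it connects to the holder, which treats the incoming connection as the signal to exit. The port 48101 is the SINGLE_INSTANCE_PORT constant from the leaked Mirai source; the port used by MIRAI UNK001 is not stated in the write-up, so it is an assumption here and is a parameter in the code.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Port from the leaked Mirai source; the sample's own port is not known
 * from the write-up (assumption for the demo). */
#define SINGLE_INSTANCE_PORT 48101

static void loopback_addr(struct sockaddr_in *a, uint16_t port)
{
    memset(a, 0, sizeof *a);
    a->sin_family = AF_INET;
    a->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a->sin_port = htons(port);
}

/* Try to become the single instance: bind and listen on the control port.
 * Returns the listening fd on success, or -1 if another process already holds
 * the port (bind fails with EADDRINUSE) or sockets are unavailable. */
int claim_instance_port(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int opt = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof opt);

    struct sockaddr_in addr;
    loopback_addr(&addr, port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Lost the bind: tell the holder to go away by connecting to its control
 * socket. Returns 0 if the connection went through, -1 otherwise. */
int signal_existing_instance(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    loopback_addr(&addr, port);
    int rc = connect(fd, (struct sockaddr *)&addr, sizeof addr);
    close(fd);
    return rc < 0 ? -1 : 0;
}

/* Holder side: a connection on the control socket means a newer copy has
 * started, so the holder should exit. Returns 1 when that happens, 0 on error. */
int wait_for_replacement(int listen_fd)
{
    int c = accept(listen_fd, NULL, NULL);
    if (c < 0) return 0;
    close(c);
    return 1;
}

int main(void)
{
    int fd = claim_instance_port(SINGLE_INSTANCE_PORT);
    if (fd < 0) {
        puts("another instance holds the port; signalling it");
        return signal_existing_instance(SINGLE_INSTANCE_PORT) == 0 ? 0 : 1;
    }
    puts("listening on 127.0.0.1:48101; run a second copy to replace this one");
    int replaced = wait_for_replacement(fd);
    close(fd);
    return replaced ? 0 : 1;
}
```

Run two copies in separate terminals: the first blocks in accept(), the second fails its bind, connects, and the first exits. From the defender's side this is a cheap host indicator: a process running out of /tmp or a writable directory that listens only on 127.0.0.1 on an unusual high port (visible with ss -ltnp) deserves a look, and the same check is what the "possibly killing the conflicting process" behaviour relies on.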


The exploited vulnerabilities are trivially exploitable command injections that give immediate code execution on the device, which likely explains why botnet operators pick up such newly disclosed bugs so quickly. We also observed the same botnet exploiting other vulnerabilities and carrying out further reconnaissance. Figure 7 shows the activity of this botnet herder over the past month.
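Both bugs in this campaign are command injections in device web interfaces, the class of flaw where a request parameter ends up on a shell command line. The C program below is an added example for this article, not code from either vendor's firmware or from the original post: a hypothetical CGI-style handler that runs ping against a user-supplied host, written first the way such bugs usually arise (a string-built command handed to a shell), then with the two fixes a reviewer would ask for, a strict allowlist on the value and execution without any shell. The handler name and parameter are invented for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern (hypothetical handler): the request parameter is pasted
 * into a command line that is then passed to system(). A value such as
 * "127.0.0.1;id" makes the shell run `id` with the web server's privileges. */
int build_ping_command_vuln(const char *host, char *cmd, size_t cmdsz)
{
    return snprintf(cmd, cmdsz, "ping -c 1 %s", host);   /* followed by system(cmd) */
}

/* Fix 1: strict allowlist on the value. Hostnames and IPv4 literals only need
 * [A-Za-z0-9.-]; every shell metacharacter (';', '|', '&', '$', '`', quotes,
 * whitespace, newline) is outside that set and is rejected. A leading '-' is
 * refused too so the value cannot be parsed as an option by the target tool. */
int is_safe_host(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return host[0] != '-';
}

/* Fix 2: never go through a shell. fork/execvp with an argv array passes the
 * value as exactly one argument, so metacharacters carry no meaning at all.
 * Returns the child's exit status, or -1 if the value was rejected or the
 * child could not be run. */
int run_ping_safe(const char *host)
{
    if (!is_safe_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", (char *)host, NULL};
        execvp(argv[0], argv);
        _exit(127);               /* exec failed: report and leave the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    build_ping_command_vuln("127.0.0.1;id", cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);
    printf("is_safe_host(\"127.0.0.1;id\") = %d\n", is_safe_host("127.0.0.1;id"));
    printf("run_ping_safe(\"127.0.0.1;id\") = %d (rejected)\n", run_ping_safe("127.0.0.1;id"));
    return 0;
}
```

Both fixes belong together: the allowlist stops the value from reaching any parser it was not meant for, and the shell-free exec removes the interpreter that gives metacharacters their power, so a gap in one does not turn into remote code execution.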

Figure 7. Activity of Threat Actors during the past month.

Indicators of Compromise